IRP_MJ_DIRECTORY_CONTROL ... ISSUE in Windows 7

Hi all,

I am working on a MiniFilter driver, and intercepted IRP_MJ_DIRECTORY_CONTROL and IRP_MN_QUERY_DIRECTORY in the PostOperationCallback to hide a file or folder in the list.

It's working fine when accessing via Explorer, but when I used the command prompt and typed the command “DIR”, I can see the file/folder.

Note: it's working fine on Windows XP; the problem is with Windows 7.

Please let me know if anybody knows the solution…

Thanks

  • use process monitor tool to see which requests dir sends and what you
    return
  • are you sure you handle e.g. SL_RESTART_SCAN, SL_RETURN_SINGLE_ENTRY
    flags?
  • do you distinguish between returning STATUS_NO_SUCH_FILE /
    STATUS_NO_MORE_FILES?
  • check Information value you return

do you hide one entry or multiple entries?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Wednesday, February 02, 2011 8:37 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] IRP_MJ_DIRECTORY_CONTROL … ISSUE in Windows 7

NTFSD is sponsored by OSR

For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Last time I saw that behavior in the Win32/Zbot virus. Explorer and
Total Commander don’t show a file, but if you query the directory
with a bit less usual file info class, you can see the file there.

Go go malware writers, fix your code.

L.

File hiding is used in much more than malware. Plus it is not supposed to stop a savvy user who has physical access to the computer but others.

And to the OP: make sure you check all possible info classes, DOS prompt uses FileNamesInformation unlike Explorer, IIRC.


Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

I do not think it's a bug in Windows 7, though a change is quite possible.

IIRC cmd sends something different than the combination you are intercepting (IRP_MJ_DIRECTORY_CONTROL and IRP_MN_QUERY_DIRECTORY). Just check with filespy, intercept that and it should work.

Hi all,

Thanks to all of you for the support. I traced the IRP messages and found the solution.

IRP_MJ_DIRECTORY_CONTROL and IRP_MN_QUERY_DIRECTORY is the correct way to intercept for directories. So I compared its buffer with the “FileFullDirectoryInformation” class; that's working fine to hide files/folders when accessing via the command prompt.

Now the problem is with the search element in the Start menu. I compared all the classes:

FileBothDirectoryInformation

FileDirectoryInformation

FileFullDirectoryInformation

FileIdBothDirectoryInformation

FileIdFullDirectoryInformation

FileNamesInformation

FileObjectIdInformation

FileReparsePointInformation

But I didn’t get it in the buffer in this condition.

That means, when I search for this hidden file/folder in the Start menu search, it shows this file.

Thanks
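
The replies in this thread note that each directory information class has its own buffer layout, and that an entry filtered from only some classes stays visible through the rest. As an added example (not code from any poster), this Python code parses captured query buffers for several classes and reports names that one view omits and another returns, which is the cross-view check a defender would run. The function names, the `build` helper and the sample file names are constructed for illustration; the offsets are taken from the public WDK `FILE_*_INFORMATION` structure definitions.

```python
import struct

# (FileNameLength offset, FileName offset) per class, from the public WDK structs.
LAYOUT = {
    "FileDirectoryInformation":       (60, 64),
    "FileFullDirectoryInformation":   (60, 68),
    "FileBothDirectoryInformation":   (60, 94),
    "FileIdFullDirectoryInformation": (60, 80),
    "FileIdBothDirectoryInformation": (60, 104),
    "FileNamesInformation":           (8, 12),
}

def parse_names(info_class, buf):
    """Walk the NextEntryOffset chain of one query buffer and return its names."""
    len_off, name_off = LAYOUT[info_class]
    names, pos, more = [], 0, bool(buf)
    while more:
        if pos + name_off > len(buf):
            raise ValueError("entry header runs past end of buffer")
        next_off, name_len = (struct.unpack_from("<I", buf, pos + o)[0] for o in (0, len_off))
        end = pos + name_off + name_len
        if end > len(buf) or 0 < next_off < end - pos:
            raise ValueError("file name or NextEntryOffset out of range")
        names.append(buf[pos + name_off:end].decode("utf-16-le"))
        pos, more = pos + next_off, next_off != 0   # zero marks the last entry
    return names

def cross_view(views):
    """views: {info_class: buffer}. Map a class to names only other classes returned."""
    seen = {c: {n.lower() for n in parse_names(c, b)} for c, b in views.items()}
    union = set().union(*seen.values())
    return {c: sorted(union - s) for c, s in seen.items() if union - s}

def build(info_class, names):
    """Constructed sample input: pack names into a chained, 8-byte-aligned buffer."""
    len_off, name_off = LAYOUT[info_class]
    out = bytearray()
    for i, name in enumerate(names):
        raw = name.encode("utf-16-le")
        entry = bytearray(name_off) + raw + bytes(-(name_off + len(raw)) % 8)
        struct.pack_into("<I", entry, len_off, len(raw))
        struct.pack_into("<I", entry, 0, len(entry) if i < len(names) - 1 else 0)
        out += entry
    return bytes(out)

ALL = ["a.txt", "secret.txt", "b.txt"]  # constructed listing; the Both view drops one name
SAMPLE = {"FileBothDirectoryInformation": build("FileBothDirectoryInformation", ["a.txt", "b.txt"]),
          "FileFullDirectoryInformation": build("FileFullDirectoryInformation", ALL),
          "FileNamesInformation": build("FileNamesInformation", ALL)}
```

`cross_view(SAMPLE)` flags `secret.txt` as missing from the `FileBothDirectoryInformation` view only; an empty result means every class returned the same set of names.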